{"id":"CVE-2019-16884","details":"runc through 1.0.0-rc8, as used in Docker through 19.03.2-ce and other products, allows AppArmor restriction bypass because libcontainer/rootfs_linux.go incorrectly checks mount targets, and thus a malicious Docker image can mount over a /proc directory.","aliases":["GHSA-fgv8-vj5c-2ppq","GO-2021-0085"],"modified":"2026-04-16T04:38:11.346576654Z","published":"2019-09-25T18:15:13.057Z","related":["ALSA-2019:4269","CGA-x28q-hfg9-3p5x","SUSE-SU-2019:2786-1","SUSE-SU-2019:2787-1","SUSE-SU-2019:2810-1","SUSE-SU-2020:0035-1","SUSE-SU-2020:0065-1","SUSE-SU-2021:1458-1","openSUSE-SU-2019:2418-1","openSUSE-SU-2019:2434-1","openSUSE-SU-2020:0045-1","openSUSE-SU-2024:11358-1"],"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DGK6IV5JGVDXHOXEKJOJWKOVNZLT6MYR/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SPK4JWP32BUIVDJ3YODZSOEVEW6BHQCF/"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2023/02/msg00016.html"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/62OQ2P7K5YDZ5BRCH2Q6DHUJIHQD3QCD/"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2023/03/msg00023.html"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00010.html"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:3940"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202003-21"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/4297-1/"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00009.html"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00073.html"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20220221-0004/"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:4074"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:4269"},{"type":"REPORT","url":"https://github.com/opencontainers/runc/issues/2128"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/docker/docker","events":[{"introduced":"0"},{"last_affected":"ed20165a37b40ff1cfbe55e218344c5e89f30ee2"},{"introduced":"0"},{"last_affected":"63df8cf4b5d6473291eaf499107825c41af3b5e4"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"19.03.2"},{"introduced":"0"},{"last_affected":"18.04"}]}},{"type":"GIT","repo":"https://github.com/opencontainers/runc","events":[{"introduced":"2598484b97994f61781e4f40b9782e0809e4e2c2"},{"last_affected":"baf6536d6259209c3edfa2b22237af82942d3dfa"},{"introduced":"0"},{"last_affected":"04f275d4601ca7e5ff9460cec7f65e8dd15443ec"},{"introduced":"0"},{"last_affected":"c91b5bea4830a57eac7882d7455d59518cdf70ec"},{"introduced":"0"},{"last_affected":"75f8da7c889acc4509a0cf6f0d3a8f9584778375"},{"introduced":"0"},{"last_affected":"2e7cfe036e2c6dc51ccca6eb7fa3ee6b63976dcd"},{"introduced":"0"},{"last_affected":"4fc53a81fb7c994640722ac585fa9ca548971871"},{"introduced":"0"},{"last_affected":"ccb5efd37fb7c86364786e9137e22948751de7ed"},{"introduced":"0"},{"last_affected":"69ae5da6afdcaaf38285a10b36f362e41cb298d6"},{"introduced":"0"},{"last_affected":"425e105d5a03fabd737a126ad93d62a9eeede87f"}],"database_specific":{"versions":[{"introduced":"0.0.1"},{"last_affected":"0.1.1"},{"introduced":"0"},{"last_affected":"1.0.0-rc1"},{"introduced":"0"},{"last_affected":"1.0.0-rc2"},{"introduced":"0"},{"last_affected":"1.0.0-rc3"},{"introduced":"0"},{"last_affected":"1.0.0-rc4"},{"introduced":"0"},{"last_affected":"1.0.0-rc5"},{"introduced":"0"},{"last_affected":"1.0.0-rc6"},{"introduced":"0"},{"last_affected":"1.0.0-rc7"},{"introduced":"0"},{"last_affected":"1.0.0-rc8"}]}}],"versions":["0.0.3","docs-v1.12.0-rc4-2016-07-15","upstream/0.1.2","upstream/0.1.3","v0.0.1","v0.0.2","v0.0.3","v0.0.4","v0.0.5","v0.0.6","v0.0.7","v0.0.8","v0.1.0","v0.1.1","v0.1.2","v0.1.3","v0.1.4","v0.1.5","v0.1.6","v0.1.7","v0.1.8","v0.2.0","v0.2.1","v0.2.2","v0.3.0","v0.3.1","v0.3.2","v0.4.1","v0.4.2","v0.4.4","v0.4.5","v0.4.7","v0.5.0","v0.6.5","v0.7.0","v0.7.1","v0.7.2","v1.0.0-rc1","v1.0.0-rc2","v1.0.0-rc3","v1.0.0-rc4","v1.0.0-rc5","v1.0.0-rc6","v1.0.0-rc7","v1.0.0-rc8","v18.04.0-ce","v18.04.0-ce-rc2","v18.06.0-ce-rc1","v18.09.0-ce-tp0","v19.03.0","v19.03.0-beta1","v19.03.0-beta2","v19.03.0-beta3","v19.03.0-beta4","v19.03.0-beta5","v19.03.0-rc2","v19.03.0-rc3","v19.03.1","v19.03.2","v19.03.2-beta1","v19.03.2-rc1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-16884.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"29"}]},{"events":[{"introduced":"0"},{"last_affected":"30"}]},{"events":[{"introduced":"0"},{"last_affected":"31"}]},{"events":[{"introduced":"0"},{"last_affected":"15.0"}]},{"events":[{"introduced":"0"},{"last_affected":"15.1"}]},{"events":[{"introduced":"0"},{"last_affected":"4.1"}]},{"events":[{"introduced":"0"},{"last_affected":"4.2"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"8.1"}]},{"events":[{"introduced":"0"},{"last_affected":"8.2"}]},{"events":[{"introduced":"0"},{"last_affected":"8.4"}]},{"events":[{"introduced":"0"},{"last_affected":"8.2"}]},{"events":[{"introduced":"0"},{"last_affected":"8.4"}]},{"events":[{"introduced":"0"},{"last_affected":"8.2"}]},{"events":[{"introduced":"0"},{"last_affected":"8.4"}]},{"events":[{"introduced":"0"},{"last_affected":"19.10"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}